Can't ping the host name but can ping the IP

Hi,
I am running a W2K server in native mode, and yesterday we had a problem: the domain controller wasn't accepting any account logons. We then did a restore from backups and were able to log on to the domain. This morning some users were able to log on but weren't able to access the main DC (server1) by typing in the address "\\server1", but they are able to type in the IP address.
The event viewer has this under System:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server1.<domain>. The target name used was DNS/server1.<domain>. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (<domain>), and the client realm. Please contact your system administrator.

Although dcdiag reported that everything was in sync with the other DC (server2), I can't even log on to Users and Computers.

The machine account password for the local machine could not be reset.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all the previous connections to the server or shared resource and try again.

I have confirmed that there aren't other administrator connections on the server. There are, however, users currently connected to the server. Will I need them to log off?


If this doesn't resolve your problem, it might be the secure channel between the DC and your hosts that is broken. The easiest way is to let the host re-join the domain. Another way is to try to reset the channel with nltest (from the Support Tools).

I would re-join the domain on a problem host. Every 60 days the password for the secure channel is changed. This channel is used by the computer object to authenticate in the domain and is used e.g. when computer GPOs are processed.

When you restored the DC, there might be some outdated passwords in the domain, so give it a shot on one host to see if a re-join fixes your problem.

Krisdeep: You can use netdom to reset the computer object password, but this is handled by the computer object itself, not the DC. When you re-join a domain, the computer object changes its own password.

If you want to delete/recreate a Kerberos ticket, go with "klist.exe".
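A way to see the state of the secure channel and the cached Kerberos tickets before deciding on a re-join, as an added example that is not from any poster in this thread; it assumes a domain-joined Windows host with Windows PowerShell 5.1, and the domain name and DC name are placeholder parameters. The repair step is only attempted when `-Repair` is passed and may need `-Credential` with a domain admin account.

```powershell
# Added example (not from the thread): report the machine account's secure channel
# state and the Kerberos tickets held for a DC, i.e. the things the posts above
# tell you to reset. Run in an elevated PowerShell on the affected member host.
# Assumption: $DomainName and $DcName are placeholders for your own values.
param(
    [string]$DomainName = 'example.local',   # placeholder
    [string]$DcName     = 'server1',         # placeholder: the DC named in the event
    [switch]$Repair                          # only attempt a reset when asked
)

# 1. Secure channel health. Test-ComputerSecureChannel returns $false when the
#    machine account password held locally no longer matches what the DC has,
#    which is what a DC restored from an older backup can cause.
$channelOk = Test-ComputerSecureChannel -Server $DcName -Verbose
Write-Host "Secure channel to ${DcName} healthy: $channelOk"

# 2. The same check with nltest, which also shows which DC the channel is set to.
nltest /sc_query:$DomainName

# 3. Kerberos tickets the current logon holds for the DC. A ticket encrypted with
#    an old service key is what produces the KRB_AP_ERR_MODIFIED event quoted
#    in the question; klist lets you see and purge such tickets.
klist | Select-String -Pattern $DcName -Context 0,3

if (-not $channelOk -and $Repair) {
    # Reset the channel password on both sides, then drop cached tickets so the
    # next SMB/LDAP access obtains a ticket under the new key.
    Test-ComputerSecureChannel -Server $DcName -Repair -Verbose
    klist purge
    Write-Host 'Secure channel repaired; log off and on (or reboot) so sessions are re-established.'
}
```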

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
Error: kdc service is not running
[Error details: 1062 (Type: Win32 - Description: The service has not been started.)]
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:04:23:AF:A7:62
IP address is static
IP address: 172.16.1.1
DNS servers:
172.16.1.1 (<name unavailable>) [Valid]
Warning: 168.210.1.41 (<name unavailable>) [Invalid (unreachable)]
Warning: 172.16.1.42 (<name unavailable>) [Invalid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found

Error: Record registrations cannot be found for all the network adapters

Summary of test results for DNS servers used by the above domain controllers:

DNS server: 168.210.1.41 (<name unavailable>)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 168.210.1.41
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
Name resolution is not functional. _ldap._tcp.<domain>. failed on the DNS server 168.210.1.41
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

DNS server: 172.16.1.42 (<name unavailable>)
1 test failure on this DNS server
This is a valid DNS server
Name resolution is not functional. _ldap._tcp.<domain>. failed on the DNS server 172.16.1.42
[Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
[Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

DNS server: 172.16.1.1 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered

You should never ever use an external DNS internally in your domain. Not even as secondary.

Here is how you should set it up:

Domain controllers should point to themselves as preferred DNS. Use the IP of the DC, not the loopback address (127.0.0.1). If you have another DC with DNS, that is your alternate DNS on your first DC.

Your domain clients should use your DC(s) as DNS. Never external DNS sources!!

This is because when a client tries to resolve something, let's say a Global Catalog server's SRV record, it is not automatic that the client uses its preferred DNS. If an alternate DNS responds quicker, the client will use the alternate DNS. That DNS does not know of any SRV records or anything else in your domain.

Is your DNS AD integrated?

Is 172.16.1.42 your other DC? What gateway do you use? Please post an "ipconfig /all" from both DCs.
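A check of the DNS client rules laid out above, as an added example that is not from any poster in this thread; it assumes Windows 8/2012 or newer for the DnsClient cmdlets, and the domain name and the list of DC addresses are placeholder parameters. It repeats, per configured resolver, the `_ldap._tcp` SRV lookup that dcdiag reported as failing for 168.210.1.41 and 172.16.1.42.

```powershell
# Added example (not from the thread): test every DNS server configured on this
# host against the post above: a DC lists its own IP (not 127.0.0.1) first, only
# DCs that run DNS appear, and each server can resolve the domain's _ldap._tcp
# SRV record. Assumptions: DnsClient module present; $DomainName and $KnownDcIPs
# are placeholders for your own domain and DC addresses.
param(
    [string]$DomainName   = 'example.local',   # placeholder
    [string[]]$KnownDcIPs = @('172.16.1.1')    # placeholder: DCs that run DNS
)

$srv      = "_ldap._tcp.$DomainName"
$localIPs = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)

# Configured IPv4 resolvers, in the order the client will try them.
$resolvers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique)

foreach ($ip in $resolvers) {
    $issues = @()
    if ($ip -eq '127.0.0.1') {
        $issues += 'loopback address used instead of the DC IP'
    } elseif ($KnownDcIPs -notcontains $ip) {
        $issues += 'not a known domain controller (external or stale DNS server)'
    }
    try {
        # Ask this specific server so a working alternate cannot mask the failure.
        $rec     = Resolve-DnsName -Name $srv -Type SRV -Server $ip -DnsOnly -ErrorAction Stop
        $targets = ($rec | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object NameTarget) -join ', '
        $status  = "SRV ok -> $targets"
    } catch {
        $status  = "SRV lookup FAILED: $($_.Exception.Message)"
        $issues += 'cannot locate domain controllers'
    }
    $verdict = if ($issues) { 'PROBLEM: ' + ($issues -join '; ') } else { 'OK' }
    '{0,-16} {1,-60} {2}' -f $ip, $status, $verdict
}

if ($resolvers.Count -gt 0 -and $localIPs -contains $resolvers[0]) {
    'Preferred DNS is this host itself (correct for a DC that runs DNS).'
}
```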

Krisdeep - not sure why, but last night I decided to try your first response again, and when we ran the command again it reset the password; one reboot later and the machines on the network could access the DC again. Thanks for the help everyone.

The suggestion that Krisdeep gave me didn't work the first time, but when we did it last night it worked, and then the DCs started to talk again and the users' computers could access the DC by the DNS address. You gotta make sure no one is connected to the server at all for this to work.
